Global Fields (4)
| Field | Type |
|---|---|
ngs.createdAt Timestamp when the event was created locally. | pdate |
ngs.id Unique identifier for the log entry. | string |
ngs.indexedAt Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source Origin or source system of the log. | string |
Generic Fields (10)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema— things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Reference-Specific Fields | Type |
|---|---|---|
gen.src.ip Source IP address. | cisco.meraki.arp_src cisco.meraki.client cisco.meraki.ip cisco.meraki.src | text_general |
gen.src.mac MAC address of the source device. | cisco.meraki.client_mac cisco.meraki.mac cisco.meraki.wired_mac | string |
gen.firewall.direction Traffic direction (e.g., inbound, outbound). | cisco.meraki.direction | strings |
gen.dns.server DNS server used for the query. | cisco.meraki.dns_server | strings |
gen.dest.port Destination port number. | cisco.meraki.dport | pint |
gen.dest.ip Destination IP address. | cisco.meraki.dst | text_general |
gen.username Username associated with the event. | cisco.meraki.identity | text_general |
gen.av.infectionName Name of the detected infection or malware. | cisco.meraki.name | strings |
gen.protocol Network protocol used (e.g., TCP, UDP, ICMP). | cisco.meraki.protocol | strings |
gen.src.port Source port number. | cisco.meraki.sport | pint |
Reference-Specific Fields (70)
| Field | Type |
|---|---|
cisco.meraki.action Action taken (e.g., allow, deny) by the security appliance or AP. | string |
cisco.meraki.aid Association ID assigned by the wireless controller for this session. | plong |
cisco.meraki.alarm_id Numeric identifier for the IDS/IPS alarm raised. | plong |
cisco.meraki.anchor Anchor AP identifier for roaming events in MR networks. | string |
cisco.meraki.arp_src MAC address of the ARP request originator in switch events. | string |
cisco.meraki.auth_neg_dur Duration in milliseconds of the authentication negotiation phase. | pfloat |
cisco.meraki.auth_neg_failed Count of failed authentication negotiation attempts. | pint |
cisco.meraki.band Wireless frequency band used (e.g., 2.4 GHz, 5 GHz). | plong |
cisco.meraki.best_ap Identifier of the AP chosen as best candidate during roaming. | string |
cisco.meraki.bssid MAC address of the wireless AP radio serving the client. | string |
cisco.meraki.channel Wireless channel number on which the client was served. | plong |
cisco.meraki.client Client identifier (e.g., device name) as known to the system. | string |
cisco.meraki.client_mac MAC address of the end-user device making the request. | string |
cisco.meraki.connectivity Boolean indicating if the client had successful network connectivity. | boolean |
cisco.meraki.da_vendor Device vendor string discovered via DHCP option 60 or LLDP. | string |
cisco.meraki.decision Final action decision (e.g., permit, deny) by security or traffic policies. | string |
cisco.meraki.device Hardware or virtual device identifier as known to the Dashboard. | string |
cisco.meraki.dhost Destination hostname after reverse-DNS lookup, if available. | string |
cisco.meraki.direction Traffic direction relative to the device (inbound or outbound). | string |
cisco.meraki.disposition Action taken by the MX security appliance (e.g., allowed, blocked, quarantined). | string |
cisco.meraki.dns_req_rtt Round-trip time in milliseconds for the DNS request. | pfloat |
cisco.meraki.dns_resp Time in milliseconds taken to resolve the DNS query for the URL. | pfloat |
cisco.meraki.dns_server IP address of the DNS server the client queried. | string |
cisco.meraki.dos_count Count of Denial-of-Service events detected. | plong |
cisco.meraki.download Amount of data downloaded by the client in KB or MB. | plong |
cisco.meraki.download_unit Unit of the download metric (e.g., KB, MB). | string |
cisco.meraki.dport Destination port number in the flow or session record. | pint |
cisco.meraki.dst Destination IP address or hostname extracted from the URL or flow record. | string |
cisco.meraki.duration Duration in seconds of the flow or session. | pfloat |
cisco.meraki.event_cat Comma-separated list of high-level event categories (e.g., security, wireless). | strings |
cisco.meraki.fc_subtype Sub-category of flow control or traffic shaping event. | plong |
cisco.meraki.full_conn Fraction of full connectivity achieved (0.0-1.0) during network health checks. | pfloat |
cisco.meraki.http_resp Time in milliseconds between sending the HTTP request and receiving the first byte of the response. | pfloat |
cisco.meraki.identity Authenticated user identity (e.g., username or UPN). | string |
cisco.meraki.info Additional free-form information provided by the appliance for this event. | text_general |
cisco.meraki.instigator User or device that triggered the event, by ID. | plong |
cisco.meraki.ip General IP address field used for various roles (client, peer, server). | string |
cisco.meraki.ip_resp Time in milliseconds for an ICMP ping to complete. | pfloat |
cisco.meraki.is_wpa Indicator if the wireless session used WPA/WPA2 encryption. | pint |
cisco.meraki.last_auth_ago Seconds since the last successful authentication event. | pfloat |
cisco.meraki.last_known_client_ip Most recent IP address seen for a client in wireless logs. | string |
cisco.meraki.mac MAC address of the client or peer device in the event. | string |
cisco.meraki.msg Raw syslog message text before parsing into structured fields. | text_general |
cisco.meraki.name Name of the network or device as configured in the Dashboard. | string |
cisco.meraki.packet Packet size or packet count metric for flow records. | string |
cisco.meraki.peer_contact Contact name or identifier for a peer device or user. | string |
cisco.meraki.peer_ident Identity string of the peer in VPN or wireless roaming logs. | string |
cisco.meraki.port Generic port field used when protocol context is known separately. | pint |
cisco.meraki.priority Priority level assigned to traffic by QoS or firewall rules. | plong |
cisco.meraki.protocol Layer-4 protocol used (e.g., TCP, UDP). | string |
cisco.meraki.radio Identifier of the radio interface (e.g., radio0, radio1) handling the client. | pint |
cisco.meraki.reason Text describing the cause for a policy match or event. | string |
cisco.meraki.remainder Any unparsed portion of the log line retained for debugging. | text_general |
cisco.meraki.rssi Received Signal Strength Indicator in dBm for the session. | plong |
cisco.meraki.sha256 SHA-256 hash of a downloaded or inspected file. | string |
cisco.meraki.shost Reverse-resolved hostname of the source IP, if available. | string |
cisco.meraki.signature Name or ID of the threat signature that matched in IDS/IPS events. | string |
cisco.meraki.sport Source port number in the flow or session record. | pint |
cisco.meraki.src Source IP address of the request or flow record. | string |
cisco.meraki.ssid SSID of the wireless network in MR log entries. | string |
cisco.meraki.state Operational state of the device or connection (e.g., up, down). | string |
cisco.meraki.type High-level log type (e.g., URL, Flow, Event). | string |
cisco.meraki.upload Amount of data uploaded by the client in KB or MB. | plong |
cisco.meraki.upload_unit Unit of the upload metric (e.g., KB, MB). | string |
cisco.meraki.url Full URL requested by the client in URL logging events. | string |
cisco.meraki.vap Identifier of the virtual access point (VAP) on MR access points. | string |
cisco.meraki.vlan VLAN ID associated with the session or traffic. | plong |
cisco.meraki.vlan_id VLAN identifier applied to the client or traffic. | plong |
cisco.meraki.vpn_type Type of VPN session (e.g., client, site-to-site). | string |
cisco.meraki.wired_mac MAC address of a wired client in MS switch events. | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.